RE: [PATCH 2/2] Bluetooth: btintel: fix use after free problem in btintel_ppag_callback()

From: K, Kiran
Date: Mon May 20 2024 - 20:20:24 EST


Hi Su Hui,

Thanks for your patch. 'btintel_ppag_callback' has been removed as part of 287da9035b2e.

>-----Original Message-----
>From: Su Hui <suhui@xxxxxxxxxxxx>
>Sent: Monday, May 20, 2024 7:46 AM
>To: marcel@xxxxxxxxxxxx; luiz.dentz@xxxxxxxxx; nathan@xxxxxxxxxx;
>ndesaulniers@xxxxxxxxxx; morbo@xxxxxxxxxx; justinstitt@xxxxxxxxxx
>Cc: Su Hui <suhui@xxxxxxxxxxxx>; K, Kiran <kiran.k@xxxxxxxxx>;
>seema.sreemantha@xxxxxxxxx; linux-bluetooth@xxxxxxxxxxxxxxx; linux-
>kernel@xxxxxxxxxxxxxxx; llvm@xxxxxxxxxxxxxxx; kernel-janitors@xxxxxxxxxxxxxxx
>Subject: [PATCH 2/2] Bluetooth: btintel: fix use after free problem in
>btintel_ppag_callback()
>
>Clang static checker (scan-build) warning:
>drivers/bluetooth/btintel.c:1369:8: Use of memory after it is freed.
>
>'p' is equal to 'buffer.pointer', so using 'p->type' after releasing 'buffer.pointer'
>causes this use after free problem.
>Change the order of releasing buffer.pointer to fix this problem.
>
>Fixes: c585a92b2f9c ("Bluetooth: btintel: Set Per Platform Antenna
>Gain(PPAG)")
>Signed-off-by: Su Hui <suhui@xxxxxxxxxxxx>
>---
> drivers/bluetooth/btintel.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c index
>f1c101dc0c28..d94a8ccd1428 100644
>--- a/drivers/bluetooth/btintel.c
>+++ b/drivers/bluetooth/btintel.c
>@@ -1364,9 +1364,9 @@ static acpi_status btintel_ppag_callback(acpi_handle
>handle, u32 lvl, void *data
> ppag = (struct btintel_ppag *)data;
>
> if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
>- kfree(buffer.pointer);
> bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or
>package count: %d",
> p->type, p->package.count);
>+ kfree(buffer.pointer);
> ppag->status = AE_ERROR;
> return AE_ERROR;
> }
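Review bot: the reordering in this hunk is correct as far as the visible lines go: p aliases buffer.pointer, and the bt_dev_warn call formats p->type and p->package.count, so the moved kfree(buffer.pointer) must follow it, which it now does. One thing worth stating in the changelog: since the reply above says btintel_ppag_callback has already been removed upstream in 287da9035b2e, this change can only apply to trees that still carry the function, so if a stable backport is the intent, add a Cc: stable tag next to the Fixes: line so the target is clear.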
>--
>2.30.2

Thanks,
Kiran
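The ordering defect the quoted commit message describes, as an added example that is not part of the patch, the thread, or the btintel driver: a plain C model of the two orderings in the hunk. struct model_object, struct model_buffer, arena_alloc/arena_free, warn_invalid and the TYPE_PACKAGE value are assumptions standing in for the ACPI object, struct acpi_buffer, kfree and bt_dev_warn. The one-slot arena poisons freed storage in place (with the same 0x6b byte the kernel's POISON_FREE uses) so that the stale read through p is deterministic and observable instead of undefined behaviour.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define TYPE_PACKAGE 4          /* stands in for ACPI_TYPE_PACKAGE (assumed value) */
#define POISON_BYTE 0x6b        /* same byte the kernel's POISON_FREE uses */

struct model_object {           /* stands in for the ACPI object behind p */
    unsigned int type;
    unsigned int package_count;
};

struct model_buffer {           /* stands in for struct acpi_buffer */
    void *pointer;
};

/* One-slot "heap": freeing poisons the slot in place instead of releasing it,
 * so a later read through a stale pointer is still defined and observable. */
static struct model_object arena_slot;

static struct model_object *arena_alloc(void)
{
    memset(&arena_slot, 0, sizeof arena_slot);
    return &arena_slot;
}

static void arena_free(void *ptr)
{
    assert(ptr == &arena_slot);
    memset(&arena_slot, POISON_BYTE, sizeof arena_slot);
}

/* Formats the same message bt_dev_warn emits in the hunk. */
static void warn_invalid(char *out, size_t len, const struct model_object *p)
{
    snprintf(out, len, "PPAG-BT: Invalid object type: %u or package count: %u",
             p->type, p->package_count);
}

/* Ordering before the patch: free first, then dereference the alias. */
static int callback_before(struct model_buffer *buffer, char *out, size_t len)
{
    struct model_object *p = buffer->pointer;   /* p aliases buffer->pointer */

    if (p->type != TYPE_PACKAGE || p->package_count != 2) {
        arena_free(buffer->pointer);
        warn_invalid(out, len, p);               /* reads freed (poisoned) memory */
        return -1;
    }
    return 0;
}

/* Ordering after the patch: log while the object is alive, then free. */
static int callback_after(struct model_buffer *buffer, char *out, size_t len)
{
    struct model_object *p = buffer->pointer;

    if (p->type != TYPE_PACKAGE || p->package_count != 2) {
        warn_invalid(out, len, p);
        arena_free(buffer->pointer);
        return -1;
    }
    return 0;
}

/* Runs one variant on a constructed object that is not a package. */
static const char *run_variant(int (*cb)(struct model_buffer *, char *, size_t),
                               char *out, size_t len)
{
    struct model_object *obj = arena_alloc();
    struct model_buffer buffer;

    obj->type = 1;               /* constructed: wrong type, triggers the warn path */
    obj->package_count = 2;
    buffer.pointer = obj;
    cb(&buffer, out, len);
    return out;
}

const char *demo_before(void)
{
    static char msg[96];
    return run_variant(callback_before, msg, sizeof msg);
}

const char *demo_after(void)
{
    static char msg[96];
    return run_variant(callback_after, msg, sizeof msg);
}

int main(void)
{
    printf("before patch: %s\n", demo_before());
    printf("after patch:  %s\n", demo_after());
    return 0;
}
```

With the pre-patch ordering the warning is formatted from poisoned bytes, so both numbers come out as 0x6b6b6b6b (1802201963) instead of the real type and count; with the patched ordering the message carries the values the object actually held. In the real driver the same read after kfree() is a genuine heap use-after-free, which is what scan-build reported and what KASAN would flag at runtime; the arena here only makes the consequence visible without invoking undefined behaviour.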